“The early bird catches the worm”
Anibal L. Sacco (Ssr Exploit writer)
Alfredo A. Ortega (Ssr Exploit writer)
copyright (c) 2005 Core Security Technologies.
Agenda
Introduction
A bit of history
A better choice
What is the BIOS
BIOS Structure
How it works
Update/flashing process
A Simple way to patch BIOS
Where to patch
What can be done
Shellcodes
Virtual machine demo
Real hardware demo
Introduction
Practical approach to generic & reliable BIOS code injection
True persistency
Rootkit(ish) behavior
OS independent
A little bit of history:
Commonly used persistency methods:
User mode backdoor
Kernel mode backdoor
How can this be done more effectively?
BIOS level backdoor:
Takes control before any other software
Stealth behavior
Generally forgotten by almost all antiviruses
OS independent (runs outside the OS context)
What is the BIOS?
BIOS stands for Basic Input Output System
Boot firmware
Hardware initialization (RAM, North Bridge, etc.)
Size: 256 Kb and bigger
Commonly stored on EEPROM or flash memory
BIOS Structure
It is composed of various LZH compressed modules
Each module has an 8 bit checksum
There are some uncompressed modules:
Bootblock: in charge of the POST, and emergency boot
Decompression routine: decompresses the rest of the modules
Various checksum checks.
How it works
The first instruction executed by the CPU is a 16 byte opcode located at F000:FFF0
The Bootblock POST (Power On Self Test) initialization routine is executed.
Decompression routine is called and every module is executed.
Initializes PCI ROMs.
Loads bootloader from hard-disk and executes it.
BIOS Memory Map
Update/flashing process
to add new features and fix bugs. They also provide their own tools to flash from DOS, Windows; on South-Bridge and chip used.
Generic BIOS flashing tool: flashrom, which supports most motherboard/chip combinations.
A Simple way to patch BIOS
BIOS contains several checksums
Any modification leads to an unbootable system.
We used two techniques:
1) Use a BIOS building tool (Pinczakko's method)
2) Patch and compensate the 8-bit checksum
Three easy steps:
1) Dump BIOS using flashrom
2) Patch and compensate
3) Re-flash
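As an added illustration (not code from the original talk), the following constructed Python shows why the 8-bit module checksum described above gives no integrity guarantee: after content bytes are changed, one spare padding byte is adjusted so the additive sum is unchanged, while comparing the dump against a known-good image hash (the defender's check) still flags the change. The module bytes, offsets and helper names are constructed for this example.

```python
import hashlib

def sum8(data: bytes) -> int:
    """8-bit additive checksum: the sum of all bytes modulo 256."""
    return sum(data) & 0xFF

def modify_preserving_sum8(module: bytes, offset: int, new_bytes: bytes,
                           pad_offset: int) -> bytes:
    """Overwrite new_bytes at offset, then adjust one byte in a padding area
    (pad_offset) so that sum8() of the module is the same as before.
    Demonstrates that an additive checksum cannot detect a deliberate change."""
    end = offset + len(new_bytes)
    if end > len(module) or pad_offset >= len(module) or offset <= pad_offset < end:
        raise ValueError("offsets out of range or padding byte inside patched span")
    buf = bytearray(module)
    original = sum8(buf)
    buf[offset:end] = new_bytes
    # Only the modulo-256 difference matters; taking it back out of a
    # single spare byte restores the original checksum.
    delta = (sum8(buf) - original) & 0xFF
    buf[pad_offset] = (buf[pad_offset] - delta) & 0xFF
    return bytes(buf)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_detects(known_good: bytes, dump: bytes) -> bool:
    """What the BIOS's own check sees: only the 8-bit sum."""
    return sum8(known_good) != sum8(dump)

def hash_detects(known_good: bytes, dump: bytes) -> bool:
    """Defender's check: compare the flash dump against a known-good image hash."""
    return sha256_hex(known_good) != sha256_hex(dump)

# Constructed 80-byte "module": 64 bytes of content followed by 16 bytes
# of zero padding (stand-in for slack space inside a real module).
MODULE = bytes(range(64)) + bytes(16)
# Two content bytes at offset 10 are changed; padding byte 70 compensates.
MODIFIED = modify_preserving_sum8(MODULE, 10, b"\xaa\xbb", 70)

if __name__ == "__main__":
    print("sum8 before/after:", sum8(MODULE), sum8(MODIFIED))
    print("checksum detects change:", checksum_detects(MODULE, MODIFIED))
    print("sha256 detects change:  ", hash_detects(MODULE, MODIFIED))
```

In practice the known-good image is the vendor update file or a dump taken right after a trusted flash, compared against a fresh flashrom read of the chip.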
Where to patch
Anywhere is valid:
f000:fff0: first instruction executed.
INT 0x19: executed before booting
Insert a ROM module: executed during POST
The most practical place: the decompressor
It's uncompressed!
Located easily by pattern matching
Almost never changes
Called multiple times during boot
What can be done
Depends. What resources are available from BIOS?
Standardized hard disk access (Int 13h)
Memory Manager (PMM)
Network access (PXE, Julien Vanegue technique)
Modem and other hardware (needs a driver)
Our choice was to modify hard-disk content:
1) Modify shadow file on Unix
2) Code injection on Windows binaries
Shellcodes
Shellcodes are all in 16 bit; BIOS services for everything
Debug: the BIOS execution environment can be emulated by running the code as a COM file over DOS
Shellcode: checks ready-signal, checks for services initialization, runs
How to protect yourself
he initial access with common methods (Antiviruses, Firewalls, etc.) to avoid the BIOS mod
e flash WP (Write Protection) on motherboard
lly signed BIOS firmwares
ading BIOS updates from untrusted sources
Virtual machine demo
Virtual machines also have a BIOS!
In VMware, it's embedded as a section of the main VM process, shared by all VMs.
It can also be specified in the VMX file for each VM.
It is a Phoenix BIOS.
Very easy to develop because of the embedded GDB server.
Using the Interrupt Vector Table as ready-signal.
Two attacks: OpenBSD shadow file; Windows code injection
This method will infect multiple virtual machines.
Real hardware demo
We infected a Phoenix-Award BIOS
Extensively used BIOS
Using the VGA ROM signature as ready-signal.
No debug allowed here; all was done by reverse-engineering and later, Int 10h (Not even pr
Injector tool is a 100-line Python script!
Future research
Virtualized Rootkit
PCI device placement (Modems, VGA, Ethernet and RAID controllers)
The ultimate BIOS rootkit...
Thank you for your attention!